Pre-Installed Software Flaws Expose Dell Systems to Code Execution

Flaws in pre-installed software expose Dell systems to attacks that could result in the disabling of security mechanisms, privilege escalation, and arbitrary code execution within the context of the application user.

The vulnerable applications include the Dell Precision Optimizer application service software and Invincea-X and Invincea Dell Protected Workspace, Cisco Talos reveals in an advisory.

Tracked as CVE-2016-9038, the first vulnerability impacting Invincea-X, Dell Protected Workspace 6.1.3-24058, as a result of a device driver being read/write accessible to everyone, which can be triggered by sending specially crafted data to it.

“A successful exploitation results in an arbitrary value written to kernel memory space, which can lead to local privilege escalation,” Cisco explains.

Cisco also warns of CVE-2016-8732, an issue that involves multiple security flaws in the driver component of Invincea Dell Protected Workspace version 5.1.1-22303, a security solution for endpoints.

Weak restrictions on the driver communications channel and insufficient validation allow an attacker-controlled application executed on the vulnerable machine to leverage the driver and disable some of the protection mechanisms in the software. The bug was addressed in the 6.3.0 release of the application.

When the Dell PPO Service supplied by Dell Precision Optimizer starts, poaService.exe (located in “c:\Program Files\Dell\PPO\” loads the ati.dll from the same folder. The DLL, in turn, attempts to load atiadlxx.dll, which is not present by default in the directory, and the application searches “for an appropriately named DLL in the directories specified by the PATH environment variable.”

As soon as it finds a DLL with the same name, the app loads it into poaService.exe without checking its signature. Thus, an attacker could supply a malicious DLL of the correct name and achieve arbitrary code execution, Cisco explains.

According to Dell, there have been no known exploitations of this vulnerability reported to-date.

“Given that the Invincea Dell Protected Workspace is an application that is commonly deployed to secure workstations within high security environments, it is recommended that organizations using affected versions of this solution update to the latest version as quickly as possible to ensure that the protections provided by this software cannot be bypassed by an attacker,” Cisco notes.

"The vulnerability identified by Cisco Talos in the Dell Precision Optimizer application has been mitigated through a Dell Command update, which can be found here," a Dell spokesperson told SecurityWeek in an emailed statement. "Dell would like to thank those in the security community, such as Cisco Talos, whose efforts help us protect customers through coordinated vulnerability disclosure."